
Cisco Addresses Zero-Days: A Solution to Vulnerabilities


Cisco has recently disclosed a new zero-day vulnerability, known as CVE-2023-20273, which allowed cybercriminals to deploy malware on IOS XE devices that were already compromised via another zero-day vulnerability, CVE-2023-20198. The company, which disclosed the initial zero-day last week, revealed the new vulnerability and its implications for affected devices. According to a report by BleepingComputer, Cisco stated that fixes for both CVE-2023-20198 and CVE-2023-20273 are expected to be available on October 22.

Before the fix became available, Censys data showed that nearly 42,000 Cisco devices had already been implanted with the backdoor. The number of detected implants then appeared to fall steadily, which was initially read as a positive development. Unfortunately, this decline turned out to be illusory.

Researchers from Fox-IT discovered the reason behind the sudden drop in detected devices. They found that the malware implant had been altered to check for a specific Authorization HTTP header value before responding. As a result, the implant no longer answered probes that lacked the expected header, so scanners that relied on the implant's response saw a sharp decrease in detected compromised devices, even though the implants themselves were still in place.

However, using a different fingerprinting method, Fox-IT was able to identify 37,890 Cisco devices that remained compromised despite the apparent decline. This finding highlights the importance of thorough investigations and the need to consider alternative methods of detection when evaluating the scope of a cyberattack.

CVE-2023-20198 received the highest possible Common Vulnerability Scoring System (CVSS) score, which reflects its criticality. This vulnerability enables attackers to gain full administrator privileges on vulnerable devices. Once they have that access, the attackers exploit the second vulnerability, CVE-2023-20273, to run arbitrary commands and gain root privileges, effectively taking complete control of the device.

In response to the incident, Paul Laudanski, Director of Security Research at Onapsis, emphasized the importance of implementing time limits on access. He suggested that organizations should go beyond simply locking down access and instead introduce additional layers of defense while monitoring for abnormal activity and behavior. This includes monitoring for lateral movement, privilege escalation, network access, web access, and tracking the source of origin in comparison to the accessed resources.

Laudanski outlined three steps that organizations should take to respond to a zero-day attack. First, detection is crucial: organizations should monitor for and detect abnormal activity and behavior across their networks. Second, they should identify their externally reachable endpoints and restrict access to trusted IP spaces. Third, a comprehensive vulnerability management program, including regular red teaming exercises, can help identify and mitigate potential vulnerabilities in externally accessible assets.

The disclosure of these zero-day vulnerabilities highlights the importance of prompt action by organizations to install the necessary fixes and protect their networks from potential cyberattacks. With the availability of patches scheduled for October 22, affected Cisco device users are encouraged to update their systems as soon as possible to mitigate the risks associated with these vulnerabilities. It is essential for organizations to remain vigilant, stay informed about emerging threats, and implement robust security measures to safeguard their networks and data.
